CADA Public Register of Competent Authorities

Summary Under the proposed Cloud and AI Development Act (CADA), the European Commission would maintain a centralised public register of national competent authorities. Mandated by Article 25(2), this register lists the specific authorities in each Member State responsible for enforcing the cloud sovereignty framework, along with their designated tasks and powers. For cloud service providers, this register serves as the definitive directory to identify the "competent authority of establishment"—the single body with exclusive jurisdiction over their recognition applications, audits, and compliance obligations.

Detail

The Cloud and AI Development Act (CADA) proposes a harmonised framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on reducing dependencies on non-European providers and ensuring the sovereignty of cloud services used by the public sector. A critical component of this regulatory architecture is the establishment of a clear, transparent supervisory structure. To achieve this, CADA designates specific national bodies as "competent authorities" and requires their details to be published in a centralised, publicly accessible register.

The Legal Basis: Article 25

The requirements for this register are explicitly set out in Article 25 of the CADA proposal, titled "National competent authorities." This article establishes the obligations for Member States to designate these authorities and defines the Commission's role in publishing their details.

Article 25(1) mandates that Member States must designate one or more national competent authorities responsible for enforcing Chapter I of Title IV (the cloud computing sovereignty framework). This designation must occur within one year of the Regulation's entry into force. Member States are permitted to designate existing authorities, provided they are granted the necessary resources, technical expertise, and financial means to carry out their tasks impartially and effectively.

Article 25(2) is the specific provision that creates the public register. It states:

"Member States shall notify the Commission of the names of the competent authorities and of their tasks and powers. The Commission shall maintain a public register of those authorities."

This means the register is not merely a list of names; it is a comprehensive directory that includes:

1. The Names: The official titles of the designated national competent authorities.
2. Tasks and Powers: A description of the specific responsibilities and enforcement powers granted to each authority under CADA.

Article 25(3) further requires Member States to ensure that their competent authorities perform their tasks in an impartial, transparent, and timely manner. It also mandates that these authorities have sufficient technical, financial, and human resources to supervise all cloud computing service providers within their competence.

Article 25(4) establishes the principle of "exclusive competence." It specifies that the Member State where a cloud computing service provider has its main establishment (defined as the head office or registered office from which principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter. This "single point of contact" approach is designed to simplify compliance for providers operating across multiple Member States, ensuring they do not face fragmented regulatory oversight from multiple national bodies simultaneously.

Purpose and Function of the Register

The public register serves several key functions within the CADA framework:

• Transparency and Legal Certainty: By publishing the names, tasks, and powers of competent authorities, the register provides legal certainty for market participants. Providers know exactly which body has the authority to assess their services, conduct audits, or impose penalties.
• Facilitation of Recognition: The recognition process for cloud services aiming to achieve Union assurance levels (Levels 1–4) is managed by the competent authority of the provider's establishment. The register allows providers to quickly identify this authority to submit their applications for recognition under Article 17.
• Enforcement and Oversight: The register clarifies which authority has investigative and enforcement powers. Under Article 26, competent authorities have powers to require information, carry out inspections, and impose fines or periodic penalty payments. The register ensures these powers are attributed to clearly identified bodies.
• Cross-Border Cooperation: While the authority of establishment has exclusive competence, Articles 27 and 28 establish mechanisms for mutual assistance and cross-border cooperation. The register helps authorities in other Member States identify their counterparts for information sharing and coordinated enforcement actions.

What Information Will Be Included?

Based on Article 25(2), the register will include the "names of the competent authorities and of their tasks and powers." While the exact format of the register will be determined by the Commission, it is expected to include:

• The official name of the authority.
• The Member State in which it is established.
• A summary of its statutory tasks under CADA (e.g., recognition of assurance levels, supervision of audits, enforcement of penalties).
• Contact details or links to the authority's official website for submitting applications or inquiries.

What this means for you

For cloud service providers and data centre operators subject to CADA, the public register is a vital tool for regulatory compliance and strategic planning.

1. Identify Your Regulator: If you are a cloud computing service provider established in the EU, you must identify the competent authority in your Member State of establishment. This is the body you will engage with for the recognition process under Article 17. Use the register to confirm which authority has been designated.
2. Understand Enforcement Powers: Review the "tasks and powers" listed for your competent authority. This will inform you of the scope of their investigative powers (e.g., requests for information, on-site inspections) and enforcement capabilities (e.g., fines, cessation orders) under Article 26.
3. Prepare for Recognition Applications: When applying for recognition as offering a Union assurance level, you will submit your application to the competent authority of your establishment. Knowing their specific procedures and contact points, as detailed in the register, will streamline this process.
4. Monitor Changes: The register will be maintained by the Commission, but Member States may update their designations or the scope of authorities' powers. Regularly checking the register ensures you are always engaging with the correct, up-to-date regulatory body.
5. Cross-Border Operations: If you operate in multiple Member States, remember that the authority of your main establishment has exclusive competence for the sovereignty framework. The register helps clarify this central point of contact, reducing administrative burden.

Common misconceptions

• Misconception: "Every Member State will have a unique, newly created authority."
  • Reality: Article 25(1) allows Member States to designate existing authorities. Many countries may assign these responsibilities to their data protection authorities, cybersecurity agencies, or market surveillance bodies, rather than creating new entities.
• Misconception: "I need to register with every national authority where I have customers."
  • Reality: Article 25(4) establishes that the Member State of your main establishment has exclusive competence for enforcing the sovereignty chapter. You will primarily deal with one competent authority for recognition and oversight, though cross-border cooperation mechanisms exist.
• Misconception: "The register lists all penalties and fines."
  • Reality: The register lists the powers of the authorities, including the power to impose fines. However, the specific rules on penalties, including the criteria for calculating fines, are set out in Article 24 and national laws. The register itself is a directory of authorities, not a penalty calculator.
• Misconception: "The register is only for public sector bodies."
  • Reality: The register is a tool for all market participants. While public sector bodies use it to identify authorities for risk assessments and procurement, cloud providers use it to identify who regulates them for assurance level recognition.

Related

• CADA Competent Authorities: Required Resources & Obligations
• What remedies can CADA authorities impose on providers?
• What powers do CADA national competent authorities have?
• What are national competent authorities under CADA?
• How do CADA authorities supervise cloud providers day to day?

This is general information about a draft EU regulation, not legal advice.